1

I created a PHP page that is allowed only for one person. That's OK, but when the non-allowed user writes view-source:tstwebsite.com/test/page.php in the address bar, it shows the user the source of the page. Can I block the source code from the user? This is my code that allows this page only for one user.

$aiwab = mysql_query("SELECT * FROM `table`");
while ($aiwa = mysql_fetch_array($aiwab)) {
    $alo = $aiwa['allowed'];
    if ($alo == 2) {

    } else {
        echo "<script>javascript:history.go(-1)</script>";
    }
}

So how can I block the user from viewing the source code?

2
  • Only by using sessions and introducing an authentication mechanism in your PHP code. Commented Jul 4, 2013 at 19:36
  • 1
    Use mysqli or PDO for queries! Commented Jul 4, 2013 at 19:39

2 Answers

5

Using JavaScript to "block" a user is, frankly, stupid. JavaScript can be disabled/ignored/bypassed, exactly as you've seen with your view-source "hack". "Security" can never be established if you're relying on the CLIENT to cooperate.

Use proper server-side authentication, e.g. even HTTP basic authentication, to protect the script.


1 Comment

In other words, if you've sent the data to the client and then you do your security check, you're doing it in the wrong order.
2

If you just want to quickly change this from client-side authentication to server-side, then you could make the following change:

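if ($alo == 2) {
    // Allowed: fall through and render the page
}
else {
    // Redirect them by sending an HTTP Location header (absolute URL, scheme included)
    header("Location: https://www.yourdomain.com/path/to/another/page");
    // Stop here so the rest of the page is never sent to the client
    exit;
}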

Note that the above solution will only work if header() is called before any output is sent to the browser (HTTP headers have to be sent before the body of the message begins). This functions very similarly to your current solution, with the difference that the redirect is caused by code on the server rather than in the browser. view-source lets someone get around your authentication as it allows them to load the page in their browser, without running the client-side code.

This is just a quick fix that should help illustrate the difference between client-side and server-side authentication. If this is for anything beyond just messing about and learning a little code, then you should really be learning more about security. Also note that the mysql functions you're using are currently deprecated and you should instead be using mysqli or PDO.

You will also want to read up on the uses of client-side versus server-side code, just to get a grasp of what to use for what tasks and why.
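
A server-side version of the check that both answers describe, as an added example that is not part of the original question or answers. It assumes a hypothetical `users` table with `id` and `allowed` columns and a login step that stored the user's id in `$_SESSION['user_id']`; the sample rows are constructed and live in an in-memory SQLite database (requires the pdo_sqlite extension).

```php
<?php
declare(strict_types=1);

// Decide on the server whether this user may see the page.
// Table and column names are assumptions, not taken from the post.
function is_allowed(PDO $db, ?int $userId): bool
{
    if ($userId === null) {
        return false;                      // nobody is logged in
    }
    // Prepared statement: the id is bound, never concatenated into SQL.
    $stmt = $db->prepare('SELECT allowed FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $allowed = $stmt->fetchColumn();       // false when the row does not exist
    return $allowed !== false && (int) $allowed === 2;
}

// Gate for the protected page. Call it before any HTML is emitted:
//     require_allowed($db);
// A refused request receives a 403 and nothing else, so view-source
// shows only the refusal, never the protected markup.
function require_allowed(PDO $db): void
{
    session_start();
    $userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
    if (!is_allowed($db, $userId)) {
        http_response_code(403);
        echo 'Forbidden';
        exit;                              // stop before the page body is built
    }
}

// Constructed sample data so the check can be tried from the command line.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, allowed INTEGER)');
$db->exec('INSERT INTO users (id, allowed) VALUES (1, 2), (2, 0)');

var_dump(is_allowed($db, 1));     // user whose row has allowed = 2
var_dump(is_allowed($db, 2));     // user whose row has allowed = 0
var_dump(is_allowed($db, 99));    // id with no row
var_dump(is_allowed($db, null));  // no session
```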
